Hotspot redirect does not work when using HTTPS

David1234 · July 14, 2016, 6:52am

why?
I understand that the hotspot “stop” this
but is there any way to redirect all traffic before connecting the hotspot from port 443 to port 80 ?
so it will give the users the login page ?

I see there is a rule the hotspot create

chain=hotspot protocol=tcp Dst. Port=443 hotspot=local-dst acation=redirect To-ports=64875

but when I try to enter but https - I don’t see any packet , stay on 0
so what can I do ?
Thanks ,

agnostic · July 14, 2016, 9:40am

first of all you need create a self signed certificate from System->Certificates menu (search forum how to create) then you need to enable hotspot https login by Ip->Hotspot->Sever profiles->{your profile}-> Login and chech https and below select your self signed certificate you just made.
Congratulations you now can access hotspot by https and redirect from any visited page (https) but with a nasty browser warning because thats the way it works. no other way neither redirecting to http works. no browser allows it any more.

David1234 · July 14, 2016, 10:01am

do I have to do all it said here - http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

this is what I did -

/certificate add name=tamplate common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate sign tamplate ca-crl-host=192.168.100.254 name=myCa                
/certificate set myCa trusted=yes
/certificate export-certificate myCa 
/certificate print                
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                            COMMON-NAME                          SUBJECT-ALT-NAME                                                       FINGERPRINT                         
 0 K L A  T myCa                            myCa                                                                                                        3cd7b4a08bc9ff9c4b7e0f2......

1 name=“hsprof1” hotspot-address=192.168.100.254 dns-name=“David.Test” html-directory=hotspot rate-limit=“” http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https,http-pap

 ssl-certificate=myCa split-user-domain=no use-radius=no

and when I try I get error
“the connection is not private”
NET:ERR_CERT_AUTHORITY_INVALID
and it doesn’t give an option to continue
what do I need to do now?

Thanks ,

agnostic · July 14, 2016, 10:19am

unfortunately all browsers have hardened https mismatches and wont allow continue to sites. the best way is to disable https login and then redirect will only work without https prefix on browser. on windows 7 and newer connecting to hotspots will trigger a popup informing you that you must provide additional details to connect to network and sometimes poping up automatically default browser to login but for this to work you must have your browser start page not to https so it will redirect instantly to hotspot login without problem. if you have clients for your hotspot instruct them to change their browser start page to http instead of https.

agnostic · July 14, 2016, 10:22am

forgot to mention that login with http chap and MAC cookie combined is better because some smartphones or tablets wont work properly otherwise.

fleroviumheron424 · July 19, 2016, 6:39am

You’re right